David Rosenthal, in the just published issue 4/2017 of the digma [Swisslex] wrote an essay on the topic of “singularization”, i.e. on the question of whether it is sufficient for the identifiability of a person if this person cannot be identified but can be distinguished from all other persons by a unique date. This question is in the light of all of Art. 4 No. 1 GDPR, according to which any information is considered to be a “personal data” which
in particular by means of Assignment to an identifier such as […] an identification number […] or to one or more particular characteristics expressing the […] identity […].
Recital 26 states in this regard that, in assessing the reference to persons
alle Mittel berücksichtigt werden [shall], die von dem Verantwortlichen […] wahrscheinlich genutzt werden, um die natürliche Person direkt oder indirekt zu identifizieren, such as the sorting out.
Therefore, the question arises whether singling out – i.e., singularizing – is sufficient for establishing the person reference. Rosenthal comes to the following conclusion:
The concept of personal data has not changed with the GDPR. The “relative” approach still applies, which is based on whether or not the person who has access to certain data can identify the persons affected by it. This also applies in the EU, where the ECJ recently confirmed this with its decision regarding IP addresses. The concept of “singularization” does not change this. A data record singularizes a person if, like a fingerprint, it is so specific that it can only refer to him or her, even if it is not known who is involved. Such as with genetic data. The GDPR mentions singularization as an indication of identifiability, but it alone is not sufficient. For this purpose, the article presents the “Reference data test”: According to this, personal data exists if there is a connection between the a match can be made between the data in question and data records of a single, real person already available or accessible to the processor. Genetic data and IP addresses are therefore never per se personal data.